CVE-2022-49070

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49070
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49070.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49070
Downstream
Related
Published
2025-02-26T01:54:36Z
Modified
2025-10-21T09:04:54.745408Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
fbdev: Fix unregistering of framebuffers without device
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix unregistering of framebuffers without device

OF framebuffers do not have an underlying device in the Linux device hierarchy. Do a regular unregister call instead of hot unplugging such a non-existing device. Fixes a NULL dereference. An example error message on ppc64le is shown below.

BUG: Kernel NULL pointer dereference on read at 0x00000060 Faulting instruction address: 0xc00000000080dfa4 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGESIZE=64K MMU=Hash SMP NRCPUS=2048 NUMA pSeries [...] CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1 NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430 REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365) MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28228282 XER: 20000000 CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029 GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000 GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283 GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000 GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80 GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0 GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0 GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0 NIP [c00000000080dfa4] doremoveconflictingframebuffers+0x184/0x1d0 [c000000004133280] [c00000000080df9c] doremoveconflictingframebuffers+0x17c/0x1d0 (unreliable) [c000000004133350] [c00000000080e4d0] removeconflictingframebuffers+0x60/0x150 [c0000000041333a0] [c00000000080e6f4] removeconflictingpciframebuffers+0x134/0x1b0 [c000000004133450] [c008000000e70438] drmapertureremoveconflictingpciframebuffers+0x90/0x100 [drm] [c000000004133490] [c008000000da0ce4] bochspciprobe+0x6c/0xa64 [bochs] [...] [c000000004133db0] [c00000000002aaa0] systemcallexception+0x170/0x2d0 [c000000004133e10] [c00000000000c3cc] systemcallcommon+0xec/0x250

The bug [1] was introduced by commit 27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal"). Most firmware framebuffers have an underlying platform device, which can be hot-unplugged before loading the native graphics driver. OF framebuffers do not (yet) have that device. Fix the code by unregistering the framebuffer as before without a hot unplug.

Tested with 5.17 on qemu ppc64le emulation.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c894ac44786cfed383a6c6b20c1bfb12eb96018a
Fixed
2388f826cdc9af2651991adc0feb79de9bdf2232
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9565a3b5203a4d57acbc1d0e981c6df71864b4ab
Fixed
de33df481545974ba47c46f05194e769e4307843
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4d695d7c276f15adb1d2b64c584c3cf8f4f9e9ce
Fixed
feed87ff122b1640c221d4dd559442ab2cd50bb1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
27599aacbaefcbf2af7b06b0029459bbf682000d
Fixed
0f525289ff0ddeb380813bd81e0f9bdaaa1c9078

Affected versions

v5.*

v5.15.33
v5.16
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.19
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.2
v5.18-rc1

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f525289ff0ddeb380813bd81e0f9bdaaa1c9078",
        "target": {
            "function": "do_remove_conflicting_framebuffers",
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "110680003049819475106851452107316358848",
            "length": 739.0
        },
        "id": "CVE-2022-49070-12213dcb",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2388f826cdc9af2651991adc0feb79de9bdf2232",
        "target": {
            "function": "do_remove_conflicting_framebuffers",
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "110680003049819475106851452107316358848",
            "length": 739.0
        },
        "id": "CVE-2022-49070-328b4ae9",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@feed87ff122b1640c221d4dd559442ab2cd50bb1",
        "target": {
            "function": "do_remove_conflicting_framebuffers",
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "110680003049819475106851452107316358848",
            "length": 739.0
        },
        "id": "CVE-2022-49070-9f52c8ad",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2388f826cdc9af2651991adc0feb79de9bdf2232",
        "target": {
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "112019731791703590661421673761718644657",
                "28340330553574970111357445878230904454",
                "252216177039328829196746792797177152904",
                "201114723858566113025206762383279739470"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-49070-b8849233",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@feed87ff122b1640c221d4dd559442ab2cd50bb1",
        "target": {
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "112019731791703590661421673761718644657",
                "28340330553574970111357445878230904454",
                "252216177039328829196746792797177152904",
                "201114723858566113025206762383279739470"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-49070-bbd8fc78",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f525289ff0ddeb380813bd81e0f9bdaaa1c9078",
        "target": {
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "112019731791703590661421673761718644657",
                "28340330553574970111357445878230904454",
                "252216177039328829196746792797177152904",
                "201114723858566113025206762383279739470"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-49070-cc076d73",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@de33df481545974ba47c46f05194e769e4307843",
        "target": {
            "function": "do_remove_conflicting_framebuffers",
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "110680003049819475106851452107316358848",
            "length": 739.0
        },
        "id": "CVE-2022-49070-e87d9a1d",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@de33df481545974ba47c46f05194e769e4307843",
        "target": {
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "112019731791703590661421673761718644657",
                "28340330553574970111357445878230904454",
                "252216177039328829196746792797177152904",
                "201114723858566113025206762383279739470"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-49070-f5ed6f5e",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.33
Fixed
5.15.34
Type
ECOSYSTEM
Events
Introduced
5.16.19
Fixed
5.16.20
Type
ECOSYSTEM
Events
Introduced
5.17.2
Fixed
5.17.3